Jan 04 2021
- last edited on
Jan 14 2022
We plan to disable AADconnect dirsync to go full cloud and use only Azure AD.
AD OnPrem domain use a very "light" password policy, less restrictive than Azure AD.
- Complexity : Disabled
- Minimum password lenght : 6 characters
On Azure AD:
- Complexity : Enabled
- Minimum password lenght : 8 characters
- We use the global setting "password never expire" and default settings.
With the Azure AD global setting "password never expire" : when all users go "Cloud Only" there will be no impact, right ?
Even if they have only a 6 characters password without complexity, they can continue to use this password with an Azure AD cloud only account?
Jan 04 2021 01:49 PM
Jan 05 2021 12:58 AM
Jan 05 2021 01:00 AM
Jan 05 2021 01:03 AM - edited Jan 05 2021 01:05 AM
Yes but when they will be forced to change the password if Tenant is set with « password never expire » ?
- what will be the impact for user when he connect the first time with the cloud-only the Azure AD account, with a 6 characters password and the Tenant set with « password never expire » ?
It’s like an AD Onprem password policy ? : Password Policy only evaluated when the password is changed or expired ?
-> so no impact for user connexion even if the current password don’t meet the AzureAD password policy ?
Jan 05 2021 01:25 AM - edited Jan 05 2021 01:52 AM
Hi, enable SSPR while you’re at it. As for the password if it doesn't meet the policy requirements, the user is prompted to try again.
Jan 05 2021 02:07 AM
Thanks @ChristianBergstrom for your answer.
Do you meen "If the password doesn't meet the policy requirements, the user is prompted to try again " : at the user connexion ?
My question is only related to user connexion, because password policy is set to never expire.
I haven't seen any Microsoft document that indicates that the password need to meet the AzureAD password policy at the user connexion.
For me the AAD password policy work like AD password policy : the password policy evaluation is made only when a user change the password, not at the connexion.
Did you have perhaps a reference?
We will activate SSPR only after the Tenant will be full cloud, but all users will not be complient, and want to minimize the impact when Tenant will switch to full cloud.
Jan 05 2021 02:36 AM